How to add claims to a Windows user
I have a dotnet core API app with Windows auth enabled. We have a bunch of users who have the special permission 'admin' and are stored in the database; the rest all have the default permission 'user'. I want the users who are in the database to have extra claims. Also I want to store more information like email id and employee number (which I have to query from LDAP manually).
What I thought is that I will have one API, say api/auth, which will capture the current user and add claims based on the database and LDAP queries, and other API endpoints can use it.
But I am not able to work out how to add and persist claims between different API endpoints.
Is it possible, and/or is it a good way? My second option is to hit the database on each API call.
Edit 1: I have written a middleware which intercepts all API requests and searches LDAP/database, creates a ClaimsIdentity and adds it to Users.Identity. Then it is available through the rest of the call.
Edit 2: When I try @Ondra Starenko's answer, I am not able to reference IClaimsTransformer or app.UseClaimsTransformation. Is there something else I need to include?
Platform: .NET Core 2.1.3
You can add claims to the Windows user in the ClaimsTransformer class:
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication; // IClaimsTransformer and ClaimsTransformationContext (ASP.NET Core 1.x)

public class ClaimsTransformer : IClaimsTransformer
{
    public Task<ClaimsPrincipal> TransformAsync(ClaimsTransformationContext context)
    {
        // Add a new claim to the identity the authentication handler produced
        var ci = (ClaimsIdentity) context.Principal.Identity;
        var c = new Claim(ClaimTypes.Role, "admin");
        ci.AddClaim(c);
        return Task.FromResult(context.Principal);
    }
}
And add this line to the Configure method of Startup:
app.UseClaimsTransformation(o => new ClaimsTransformer().TransformAsync(o));
so that Configure looks like this:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    loggerFactory.AddConsole(LogLevel.Debug);
    loggerFactory.AddDebug();
    // Run the claims transformation before the middleware that needs the extra claims
    app.UseClaimsTransformation(o => new ClaimsTransformer().TransformAsync(o));
    app.UseStaticFiles();
    app.UseMvc();
}
For more information see this: add claims to windows identity.
In .NET Core 2+ IClaimsTransformer has been deprecated. Instead use IClaimsTransformation:
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

public class ClaimsTransformer : IClaimsTransformation
{
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var ci = (ClaimsIdentity) principal.Identity;
        // TransformAsync can run more than once per request, so do not add the same role twice
        if (!ci.HasClaim(ci.RoleClaimType, "Admin"))
        {
            var c = new Claim(ci.RoleClaimType, "Admin");
            ci.AddClaim(c);
        }
        return Task.FromResult(principal);
    }
}
Also note that you should not use "ClaimTypes.Role". You should use ci.RoleClaimType, especially if you have Windows Authentication enabled. Under Windows Authentication ci.RoleClaimType evaluates to some string value that will get picked up correctly as a role, whereas ClaimTypes.Role will not.
Finally inject your ClaimsTransformer by adding it to the ConfigureServices method of Startup.cs:
services.AddSingleton<IClaimsTransformation, ClaimsTransformer>();
You should now be able to add role-based Authorization attributes to your controller methods and these will now be evaluated correctly:
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class UsersController : Controller // hypothetical controller name; the action is what matters
{
    // Only principals carrying the "Admin" role claim added by ClaimsTransformer reach this action
    [Authorize(Roles = "Admin")]
    [HttpGet("[action]/{id}")]
    public User GetUser([FromRoute] int id)
    {
        UserLogic ul = new UserLogic();
        return ul.GetUser(id);
    }
}
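As an added example (not code from the question or from either answer), here is how the database and LDAP lookup described in the question can be folded into an IClaimsTransformation so that every endpoint sees the extra claims without any per-endpoint work. With Windows authentication there is no cookie or token to carry claims from one request to the next, so claims added during one request are gone on the next one; the transformation runs on each authenticated request (which is the "hit the database on each API call" option), and ASP.NET Core may invoke it more than once within a single request, so it has to be idempotent. IUserDirectory, InMemoryUserDirectory, UserRecord, DirectoryClaimsTransformer, the two sample accounts and the employee-number claim type are all assumptions made for this example; the in-memory directory stands in for the real database and LDAP queries.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical abstraction over the database and LDAP lookups from the question.
public interface IUserDirectory
{
    // Returns null when the Windows account is unknown to the directory.
    Task<UserRecord> FindAsync(string windowsAccountName);
}

public sealed class UserRecord
{
    public string Email { get; set; }
    public string EmployeeNumber { get; set; }
    public bool IsAdmin { get; set; }
}

// Constructed in-memory directory so the example runs without a database or LDAP server.
public sealed class InMemoryUserDirectory : IUserDirectory
{
    private static readonly Dictionary<string, UserRecord> Records =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase)
        {
            ["CORP\\alice"] = new UserRecord { Email = "alice@example.test", EmployeeNumber = "E1001", IsAdmin = true },
            ["CORP\\bob"]   = new UserRecord { Email = "bob@example.test",   EmployeeNumber = "E1002", IsAdmin = false },
        };

    public Task<UserRecord> FindAsync(string windowsAccountName)
    {
        Records.TryGetValue(windowsAccountName ?? string.Empty, out var record);
        return Task.FromResult(record);
    }
}

public sealed class DirectoryClaimsTransformer : IClaimsTransformation
{
    // Hypothetical claim type for the employee number pulled from LDAP.
    public const string EmployeeNumberClaimType = "urn:example:employee-number";
    private const string DefaultRole = "user";
    private const string AdminRole = "admin";

    private readonly IUserDirectory _directory;

    public DirectoryClaimsTransformer(IUserDirectory directory) => _directory = directory;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Only enrich authenticated identities; anonymous requests pass through untouched.
        if (!(principal.Identity is ClaimsIdentity source) || !source.IsAuthenticated)
            return principal;

        // TransformAsync may run more than once per request; the default role claim
        // doubles as a marker that this identity has already been enriched.
        if (source.HasClaim(source.RoleClaimType, DefaultRole))
            return principal;

        // Work on a copy so the identity produced by the authentication handler is not mutated in place.
        var enriched = principal.Clone();
        var identity = (ClaimsIdentity)enriched.Identity;

        // Everyone who authenticated gets the default role, using the identity's own role claim type.
        identity.AddClaim(new Claim(identity.RoleClaimType, DefaultRole));

        // Accounts absent from the directory keep only the default role.
        var record = await _directory.FindAsync(identity.Name);
        if (record == null)
            return enriched;

        if (record.IsAdmin)
            identity.AddClaim(new Claim(identity.RoleClaimType, AdminRole));
        if (!string.IsNullOrEmpty(record.Email))
            identity.AddClaim(new Claim(ClaimTypes.Email, record.Email));
        if (!string.IsNullOrEmpty(record.EmployeeNumber))
            identity.AddClaim(new Claim(EmployeeNumberClaimType, record.EmployeeNumber));

        return enriched;
    }
}

// Registration helper for ConfigureServices in Startup.cs.
public static class DirectoryClaimsRegistration
{
    public static IServiceCollection AddDirectoryClaims(this IServiceCollection services)
    {
        services.AddSingleton<IUserDirectory, InMemoryUserDirectory>();
        // The transformer holds no per-request state, so a singleton is fine here.
        services.AddSingleton<IClaimsTransformation, DirectoryClaimsTransformer>();
        return services;
    }
}
```

Call services.AddDirectoryClaims() from ConfigureServices and the controller can then use [Authorize(Roles = "admin")] and read the email or employee number from User.Claims. Role values are compared with ordinal (case-sensitive) string comparison, so the string in the Authorize attribute must match the one the transformer adds exactly. Because the lookup runs on every request, an expensive LDAP query should be cached per account with a short lifetime (for example with IMemoryCache) rather than repeated each time; keep the lifetime short so that revoking someone's admin row in the database takes effect promptly.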